How should teams move from standing privilege to identity-first control?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6197
Topic starter  

TL;DR: Identity risk, standing privilege, and AI governance are converging into one operating problem for enterprises, with Delinea and NCC Group framing the shift around board-level communication, just-in-time access, and control of shadow AI, machine identities, and agentic workflows. The governance gap is now structural: privilege design, not just credential hygiene, determines how far identity-driven attacks can travel.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams reduce standing privilege in identity-first environments?

A: Start by classifying privileged access as temporary unless there is a documented operational reason for persistence.

Q: Why do non-human identities complicate zero-trust architecture?

A: Non-human identities complicate zero-trust architecture because they often operate continuously, hold machine-readable secrets, and access systems at high speed without interactive user checks.

Q: What is the difference between just-in-time access and standing privilege?

A: Just-in-time access grants privilege only for a defined task window, while standing privilege remains active until someone removes it.

Practitioner guidance

  • Define an identity risk metric the board can use: translate standing privilege, privileged account count, and unmanaged NHI exposure into a small set of business-facing metrics that map to outage, breach, and change-risk scenarios.
  • Inventory all non-human identities with privilege: build a current inventory of service accounts, API keys, certificates, tokens, and AI agents, then classify each by owner, purpose, lifespan, and access scope.
  • Replace persistent access with task-scoped approvals: use just-in-time access for high-risk operations and require time-bound approval, logging, and revocation for elevated actions taken by humans or agents.

The practical signal is that entitlement review, exception handling, and audit logging have to become continuous capabilities, not quarterly exercises.

👉 Watch Delinea and NCC Group's webinar on identity-first enterprise security →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

Identity-first security is becoming the operating model for NHI governance, not just an architecture preference. Once cloud automation and AI workflows can execute actions directly, identity becomes the control plane that determines reach, duration, and auditability. Security teams that still treat identity as an access-admin function will miss the fact that identity is now where policy enforcement happens. The practitioner conclusion is simple: if identity is the perimeter, governance must be continuous rather than periodic.

A few things that frame the scale:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: How can organisations govern AI agents without slowing operations?

A: Give AI agents narrowly scoped permissions, define which tools they may use, and log every privileged action with clear ownership. Governance should focus on action boundaries and exception handling, not on blocking all automation. The goal is to keep autonomy useful while preventing agents from inheriting broad, persistent access.

👉 Read our full editorial: Identity-first enterprise security needs ZSP and AI governance



   
ReplyQuote
Share:
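
As an added example, not code from either post or from NHIMG, Delinea or NCC Group, here is a small Python model of the guidance in both posts: an NHI inventory classified by owner, purpose and standing scope, a broker that issues only approved, time-bound, task-scoped grants (the same `actions` set bounds which tools an AI agent may use), an append-only audit log, and a finding for any standing privilege that lacks a documented reason. All identities, owners, actions and times are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Identity:
    name: str
    owner: str
    purpose: str
    standing_actions: frozenset = frozenset()  # privilege that never expires
    standing_reason: str = ""  # documented operational reason for persistence

class JitBroker:
    def __init__(self, inventory):
        self.inventory = {i.name: i for i in inventory}
        self.grants, self.audit = [], []  # audit: append-only log of every event
    def grant(self, identity, actions, approver, now, ttl=timedelta(minutes=30)):
        if identity not in self.inventory:
            raise KeyError(f"unknown identity: {identity}")  # not inventoried, no access
        g = {"identity": identity, "actions": frozenset(actions), "approver": approver,
             "start": now, "end": now + ttl, "revoked": False}
        self.grants.append(g)
        self.audit.append(("grant", identity, sorted(actions), approver, now.isoformat()))
        return g
    def revoke(self, grant, now):
        grant["revoked"] = True
        self.audit.append(("revoke", grant["identity"], now.isoformat()))
    def is_permitted(self, identity, action, now):
        # Allowed only via documented standing scope or a live, unrevoked grant.
        ident = self.inventory[identity]
        allowed = action in ident.standing_actions or any(
            g["identity"] == identity and action in g["actions"] and not g["revoked"]
            and g["start"] <= now < g["end"] for g in self.grants)
        self.audit.append(("decision", identity, action, allowed, now.isoformat()))
        return allowed
    def standing_privilege_findings(self):
        # Persistent privilege is a finding unless a reason is documented.
        return sorted(i.name for i in self.inventory.values()
                      if i.standing_actions and not i.standing_reason)

def demo_broker():
    # Constructed sample inventory; names, owners and actions are hypothetical.
    return JitBroker([
        Identity("ci-deploy-sa", "platform-team", "CI deploys"),
        Identity("backup-sa", "storage-team", "nightly backups",
                 frozenset({"read:buckets"}), "unattended nightly job, reason on file"),
        Identity("ticket-agent", "support-team", "AI ticket triage",
                 frozenset({"admin:crm"})),  # standing admin with no documented reason
    ])
```

Every `grant`, `revoke` and `is_permitted` call lands in `audit`, so entitlement review can be run over the log continuously rather than quarterly.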